.. This work is licensed under a Creative Commons Attribution 3.0 Unported License. http://creativecommons.org/licenses/by/3.0/legalcode =========================================================== New attributes for SAML Assertion generated by keystone IdP =========================================================== `bp assertion-extra-attributes `_ It is necessary to add new attributes to SAML assertions generated by a keystone IdP in order to uniquely identify users and projects. Problem Description =================== When using keystone-to-keystone federation, a deployer can map a keystone Identity Provider into multiple domains in the keystone Service Provider. The keystone acting as Identity Provider may also have multiple domains as well. With this kind of **m** x **n** relationship between domains present in both Identity Provider and Service Provider it is critical for the mapping being used to have the power to correctly identify the different entities (users and projects) involved in the mapping process. Currently, SAML assertions (and ECP wrapped SAML assertions) generated by a keystone Identity Provider contain three attributes: ``openstack_user``, ``openstack_project`` and ``openstack_roles``. The value of each attribute is the **name** of the entity that is represented. This leads to a problem when using mapping rules to uniquely identify users and projects, neither have unique names across domains - we might map different users and projects to the same entity in a keystone Service Provider, which may cause resources to be accessed by unauthorized users. Proposed Change =============== Since users and projects have unique names in their domains, adding two new attributes, ``openstack_user_domain`` and ``openstack_project_domain``, to the SAML assertion generated by the keystone IdP solves this issue. Alternatives ------------ Represent ``openstack_user`` and ``openstack_project`` by their IDs, this have the issue of not being backwards compatible: mapping rules previously created would stop working. Security Impact --------------- None Notifications Impact -------------------- None Other End User Impact --------------------- None Performance Impact ------------------ None Other Deployer Impact --------------------- Currently deployers already using keystone-to-keystone federation may want to update their mapping rules to include the new attributes. Developer Impact ---------------- None Implementation ============== Assignee(s) ----------- Rodrigo Duarte Sousa Work Items ---------- * Add openstack_user_domain in SAML assertion generation * Add openstack_project_domain in SAML assertion generation * Update documentation to add the new attributes Dependencies ============ None Documentation Impact ==================== The new attributes should be documented. References ========== None